VYPR

rpm package

suse/python-Django&distro=SUSE Linux Enterprise Module for Package Hub 15 SP7

pkg:rpm/suse/python-Django&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7

Vulnerabilities (20)

  • CVE-2026-8404LowJun 3, 2026
    affected < 4.2.11-150600.3.59.1fixed 4.2.11-150600.3.59.1

    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached

  • CVE-2026-7666LowJun 3, 2026
    affected < 4.2.11-150600.3.59.1fixed 4.2.11-150600.3.59.1

    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path netwo

  • CVE-2026-6873LowJun 3, 2026
    affected < 4.2.11-150600.3.59.1fixed 4.2.11-150600.3.59.1

    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context diff

  • CVE-2026-48587LowJun 3, 2026
    affected < 4.2.11-150600.3.59.1fixed 4.2.11-150600.3.59.1

    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses vi

  • CVE-2026-35193LowJun 3, 2026
    affected < 4.2.11-150600.3.59.1fixed 4.2.11-150600.3.59.1

    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote att

  • CVE-2026-25674Mar 3, 2026
    affected < 4.2.11-150600.3.50.1fixed 4.2.11-150600.3.50.1

    An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, w

  • CVE-2025-14550Feb 3, 2026
    affected < 4.2.11-150600.3.47.1fixed 4.2.11-150600.3.47.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, an

  • CVE-2026-1312Feb 3, 2026
    affected < 4.2.11-150600.3.47.1fixed 4.2.11-150600.3.47.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `Filtered

  • CVE-2026-1287Feb 3, 2026
    affected < 4.2.11-150600.3.47.1fixed 4.2.11-150600.3.47.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` m

  • CVE-2026-1285Feb 3, 2026
    affected < 4.2.11-150600.3.47.1fixed 4.2.11-150600.3.47.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause

  • CVE-2026-1207Feb 3, 2026
    affected < 4.2.11-150600.3.47.1fixed 4.2.11-150600.3.47.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and

  • CVE-2025-13473Feb 3, 2026
    affected < 4.2.11-150600.3.47.1fixed 4.2.11-150600.3.47.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Djang

  • CVE-2025-64460Dec 2, 2025
    affected < 4.2.11-150600.3.44.1fixed 4.2.11-150600.3.44.1

    An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via

  • CVE-2025-13372Dec 2, 2025
    affected < 4.2.11-150600.3.44.1fixed 4.2.11-150600.3.44.1

    An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.

  • CVE-2025-64459Nov 5, 2025
    affected < 4.2.11-150600.3.41.1fixed 4.2.11-150600.3.41.1

    An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansio

  • CVE-2025-59682Oct 1, 2025
    affected < 4.2.11-150600.3.33.1fixed 4.2.11-150600.3.33.1

    An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths s

  • CVE-2025-59681Oct 1, 2025
    affected < 4.2.11-150600.3.33.1fixed 4.2.11-150600.3.33.1

    An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionar

  • CVE-2025-57833Sep 3, 2025
    affected < 4.2.11-150600.3.30.1fixed 4.2.11-150600.3.30.1

    An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.ali

  • CVE-2025-48432Jun 5, 2025
    affected < 4.2.11-150600.3.24.1fixed 4.2.11-150600.3.24.1

    An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forger

  • CVE-2025-32873May 8, 2025
    affected < 4.2.11-150600.3.21.1fixed 4.2.11-150600.3.21.1

    An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. Th